Luke Carrier

Allowing password authentication over SSH for only a specific group

Published 3 years ago

For security reasons it's generally advisable to disable password authentication on publicly accessible SSH servers, but in some shared hosting configurations it can be convenient to grant some users the ability to use passwords.

Initial configuration

This one-off configuration will disable password authentication for all users, then add a rule which explicitly grants users within a specific group the ability to use passwords for authentication.

As a precaution, be sure to keep an active SSH session open while you're applying these configuration changes, and ensure you're able to authenticate with SSH before closing it.

Create the new group

$ sudo groupadd sshpasswd

Reconfigure SSHd

Find any references to PasswordAuthentication in /etc/ssh/sshd_config which aren't commented out and either remove or alter (to no) each of these entries. This will prevent all users who don't specifically match a rule allowing password authentication from using this authentication method.

Then, append the following to the very end of the file:

Match group sshpasswd
        PasswordAuthentication yes

And instruct SSHd to reload its configuration:

$ sudo service sshd reload
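
The script below is an added example, not part of the original post: a small lint for the layout described above. It reports a failure when the global section does not set PasswordAuthentication to no explicitly (OpenSSH's built-in default for this option is yes, so a removed or commented-out directive leaves passwords enabled for everyone), when the Match block for the group is missing, or when another Match block also enables passwords. The function name and sample configs are constructed for illustration.

```shell
#!/bin/sh
# check_sshd_passwd GROUP [FILE]: audit FILE (default /etc/ssh/sshd_config).
# Returns 0 only if passwords are off globally, on for "Match group GROUP",
# and not enabled by any other Match block. Simplifications: Include files
# are not followed and the Match line must name exactly one group.
check_sshd_passwd() {
    awk -v grp="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " "); key = tolower($1) }   # accept Keyword=value
        key == "match" {                       # a new conditional block starts
            in_match = 1
            target = (NF == 3 && tolower($2) == "group" && $3 == grp)
            next
        }
        key == "passwordauthentication" {
            val = tolower($2)
            if (!in_match) { if (glob == "") glob = val }       # first value wins
            else if (target) { if (tval == "") tval = val }
            else if (val == "yes") {
                print "FAIL: line " NR " enables passwords in another Match block"
                bad = 1
            }
        }
        END {
            if (glob != "no") {
                print "FAIL: global PasswordAuthentication is " \
                    (glob == "" ? "unset (OpenSSH default: yes)" : glob)
                bad = 1
            }
            if (tval != "yes") {
                print "FAIL: no Match group " grp " block sets PasswordAuthentication yes"
                bad = 1
            }
            if (!bad) print "OK: password authentication limited to group " grp
            exit bad + 0
        }
    ' "${2:-/etc/ssh/sshd_config}"
}

# Demo on constructed sample configs (not taken from a real host).
good=$(mktemp); weak=$(mktemp)
printf '%s\n' 'PasswordAuthentication no' 'Match group sshpasswd' \
    '        PasswordAuthentication yes' > "$good"
# Directive only commented out: the default applies to every user.
printf '%s\n' '#PasswordAuthentication yes' 'Match group sshpasswd' \
    '        PasswordAuthentication yes' > "$weak"
check_sshd_passwd sshpasswd "$good"; echo "exit status: $?"
check_sshd_passwd sshpasswd "$weak"; echo "exit status: $?"
rm -f "$good" "$weak"
```

On the server itself, `sudo sshd -t` checks the file for syntax errors before the reload and `sudo sshd -T` prints the effective global settings.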

Everyday administration

From now on, managing authentication is merely a case of managing group membership.

Enabling password authentication

$ sudo usermod -aG sshpasswd jbloggs

Disabling password authentication

$ sudo gpasswd -d jbloggs sshpasswd

Listing all users granted password authentication

$ grep -E '^sshpasswd:' /etc/group | cut -d: -f4